Matt,

This is the info from Dshield. Was this the company you talked to
before? If it is - what was the email address they gave you to report to?
If it is different than abuse at rogers.com I can update the information.
According to the info on this IP there have been over 20,000 - 445 reports
and it doesn't indicate that an abuse has been sent on this IP. I see 445
scans from Rogers Cable IPs frequently. If you get any info from them
about these scans I would appreciate it if you would let me know.

Thanks,
Deb
CustName: Rogers Cable Inc. Glph
Address: 1 Mount Pleasant Road
City: Toronto
StateProv: ON
PostalCode: M4Y-2Y5
Country: CA
RegDate: 2003-04-24
Updated: 2003-04-24
NetRange: 24.102.141.0 - 24.102.141.127
CIDR: 24.102.141.0/25
NetName: ON-ROG-9-GLPH-4
NetHandle: NET-24-102-141-0-1
Parent: NET-24-100-0-0-1
NetType: Reassigned
Comment:
RegDate: 2003-04-24
Updated: 2003-04-24
TechHandle: AD30-ARIN
TechName: Taylor, Phillip
TechPhone: +1-416-935-4729
TechEmail: abuse at rogers.com
Deborah F Hale
Certified Business Continuity Professional/Computer Security Specialist
BCP Enterprise, Inc
Telephone: (712) 252-0361
www.bcpenterprise.com
-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Matthew Harrell
Sent: Wednesday, June 25, 2003 7:11 AM
To: Dshield Mailing List
Subject: [Dshield] CONSTANT 445/tcp scans from a node
We have been receiving a barrage of 445/tcp scans from 24.102.141.32. It's
been going on for three days now. The computer scans our entire external
subnet for hours. Then the activity will stop for a while, and start up
again a couple hours later. I'm also pretty sure this is the same node that
was doing this to us a week or two ago. At that time, not only did Dshield
send the automated abuse e-mail, but I also called his ISP. I was told to
send e-mail to a particular address (which, if I remember correctly, was
different than the one Dshield sent to). I got no reply, but the scans
stopped shortly after sending the e-mail.
When the scans started up again, dshield sent another abuse e-mail with no
response. I'll try sending another myself like I did before--maybe the IP
address is slightly different. It's frustrating that there's really nothing
else I can do about this. We're not vulnerable to this, but it sure is
clogging up my Snort logs! Has anyone else experienced such repetitive
445/tcp scans from one node over the course of days?
-----------------
Matt Harrell
Plexus Systems
mhar at plex.com